---
title: "What is EPSS? A new rating system for exploitability of vulnerabilities."
description: "LunaSec Security Researchers give a quick look at the EPSS scoring system, a new rating system for vulnerabilities focused on likelihood of exploitability."
slug: what-is-epss
date: 2022-11-21T12:00:00.000Z
keywords: [cybersecurity, epss, cvss, scoring, first]
tags: [security, appsec, sdlc, cvss, epss]
authors: [forrest, alex, free]
---
<!--
  ~ Copyright by LunaSec (owned by Refinery Labs, Inc)
  ~
  ~ Licensed under the Creative Commons Attribution-ShareAlike 4.0 International
  ~ (the "License"); you may not use this file except in compliance with the
  ~ License. You may obtain a copy of the License at
  ~
  ~ https://creativecommons.org/licenses/by-sa/4.0/legalcode
  ~
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  ~
-->

<iframe width="100%" height="400" src="https://www.youtube-nocookie.com/embed/agiHb4peGCI" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

## Vulnerability Severity Scoring

Most Security folks are already familiar with [CVSS](https://www.first.org/cvss/v3.1/specification-document) as a framework used by
NVD to try to assign a quantifiable severity score to vulnerabilities. They also know to never take CVSS scores at face value and to always view them with a grain of salt.

Why can't we trust CVSS alone? Simply put: Because CVSS doesn't include how likely a vulnerability is to be exploited _in reality_. It's just a formula that lives in a vacuum and lacks the context necessary to help organizations accurately assess the risk of a breach if left unpatched.

That's where an exciting new effort, called EPSS, comes in.

## What is EPSS?

<!--truncate-->

EPSS stands for "Exploit Prediction Scoring System" and it's an attempt to quantify how likely a given CVE is to _actually_ be exploited by attackers in the wild.

The scoring system behind EPSS outputs a probability of the estimated likelihood of exploitation from 0 to 1 or 0% to 100%. Heartbleed has a CVSSv2 score of 5.0/10 and an EPSS score of 0.960760000 (it's 7.5/10 in CVSSv3). 

## How does EPSS work?

EPSS scores are published by the EPSS volunteers. The API is provided by [FIRST](https://www.first.org/about/).
They've [made scores available](https://www.first.org/epss/data_stats) for **all CVEs in the published state**.

## How is EPSS generated?

The **EPSS is generated by machine learning (ML).** If you ask us, the documentation could be a little more up front about that.

The model itself is proprietary, full stop.[^2] Too bad, because we would love to get our hands on it.

## What data does EPSS use?

It uses a combination of public and proprietary data. Below is a list of some of the data sources.

(If you jump to the end there, you'll see that the private data is also probably the most crucial: **real world information from
Security Information and Event Management (SIEM) tools.**)

:::info Official source list [^3]
* MITRE’s CVE List - Only CVEs in the “published” state are scored
* Text-based “Tags” derived from the CVE description and other sources talking about the vulnerability
* Count of how many days the CVE has been published
* Count of how many references are listed in the CVE
* Published Exploit code in any of: Metasploit, ExploitDB and/or Github
* Security Scanners: Jaeles, Intrigue, Nuclei, sn1per
* CVSS v3 vectors as published in the National Vulnerability Database (NVD)
* CPE (vendor) information as published in NVD
* Ground Truth: Daily observations of exploitation-in-the-wild activity from AlienVault and Fortinet.
:::

This makes sense: If you have real world data about how much a vulnerability is really being exploited, as tracked by real humans
through these SIEM tools, you've got a pretty good idea of how much a vulnerability actually matters. You can close the loop.

Naturally, as this data changes, the score is recalculated. This seems to happen roughly daily, at least for important vulnerabilities, as new factors come into play like the maturity of an exploit and as reports of real-world exploitation are observed.

## How to view an EPSS Score

There's a free, public [JSON API](https://www.first.org/epss/api). It's pretty straightforward, but it's far from being the most friendly UX out there!

To test it out, let's ask it about everyone's favorite
vulnerability, [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).

:::note API Response for Log4Shell

```json title="curl https://api.first.org/data/v1/epss\?cve\=CVE-2021-44228 "
{
  "cve": "CVE-2021-44228",
  "epss": "0.954660000",
  "percentile": "0.999720000",
  "date": "2022-11-30"
}
```
:::

That score of ~0.97 is out of a maximum of 1.0, which makes a ton of sense considering that Log4Shell [melted the internet](https://www.wired.com/story/log4j-flaw-hacking-internet/) when it was first discovered.

## What EPSS doesn't do

### Environmental score
EPSS does not consider any variables related to the environment. By this, I mean there is no "frontend score" or
"backend score". It's just a single, one dimensional value spit out by the algorithm.

That's too bad for us, because one of the problems we are trying to solve with [LunaTrace](/pages/lunatrace/overview/introduction/)
is tuning our vulnerability prioritization to consider the environment the code is running in. We are working hard to build our own source
of signal for that.

### The results are opaque

CVSS scores are calculated based on a limited set of inputs and the mathematical formula can be manually computed with a calculator in just a few minutes.

In contrast the opaque machine learning based approach of EPSS is very resistant to manual human calculation.
The model is not Open Source and it is more difficult
to introspect the results. The only output ever surfaced to consumers is the EPSS score itself, a value between 0 and 1.

## Is EPSS relevant?

As far as we can tell, EPSS is a good idea and is a much needed step that helps companies effectively prioritize their security efforts.

But, while it's an exciting system that will eventually help solve the problem of too many CVEs being [false positives](https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanners/), it's still early in it's maturity and very few security tools even include it today. There is also more validation required before security experts are willing to put their weight behind recommending that companies or standards rely on EPSS[^4].

## How to try out EPSS

We've been adding EPSS support to our security tool, LunaTrace, available on GitHub[^5][^6] that automatically scans your packages for known CVEs and gives you a dashboard to filter by risk scores like CVSS and EPSS. (In addition to helping you quickly patch them.)

If you'd like to see a scan of your project's dependencies, you can do so for free in a few clicks by [signing up for LunaTrace](https://lunatrace.lunasec.io/?ref=epss-blog) and pointing it at your repo. If you'd like participate in testing out our EPSS support, we ask that you sign up and then [message us on Discord](https://discord.gg/2EbHdAR5w7) to request access.

Thanks for reading and we hope that you found this information about EPSS helpful!

## Resources

[^1]: [EPSS API Documentation](https://www.first.org/epss/api)

[^2]: [EPSS FAQ](https://www.first.org/epss/faq#:~:text=Can%20I%20look%20at%20the%20underlying%20data/model/code%3F)

[^3]: [EPSS Model](https://www.first.org/epss/model#:~:text=Data%20Architecture%20and%20Sources)

[^4]: [An analysis of EPSS by Carnegie Melon University](https://insights.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/)

[^5]: [Add EPSS Support to LunaTrace](https://github.com/lunasec-io/lunasec/issues/1006)

[^6]: [LunaTrace Repository](https://github.com/lunasec-io/lunasec)
